Update Azure SQL server guide (#20705)

* docs(database-access): update Azure SQL server guide * make bullet notation consistent * consistent parentheticals * copy edits * optimize image for web * feat(docs): update system managed identity image --------- Co-authored-by: alexfornuto <alex.fornuto@goteleport.com>
2024-10-20 01:03:40 +00:00 · 2023-01-30 11:26:35 -03:00 · 2023-01-30 11:26:35 -03:00 · 2ec17fd7e6
parent f00f35bfc8
commit 2ec17fd7e6
2 changed files with 106 additions and 70 deletions
--- a/docs/img/database-access/guides/sqlserver/system-managed-identity.png
+++ b/docs/img/database-access/guides/sqlserver/system-managed-identity.png
--- a/docs/pages/database-access/guides/azure-sql-server-ad.mdx
+++ b/docs/pages/database-access/guides/azure-sql-server-ad.mdx
@ -62,7 +62,88 @@ login to SQL Server.

 ![Azure SQL Server Azure Active Directory admin page](../../../img/database-access/guides/sqlserver/azure-set-ad-admin.png)

-## Step 4/9. Configure Azure Managed Identities
+## Step 4/9. Configure IAM permissions for Teleport
+
+The Teleport Database Service needs Azure IAM permissions to:
+- Discover and register SQL Server instances.
+- Fetch virtual machine managed identities used for login.
+
+### Configure an Azure service principal
+
+Teleport requires the following permissions:
+- `<resource-type>/read` permissions for discovery, but only for the resource
+  types you have. For example, `Microsoft.Sql/managedInstances/read`.
+- `Microsoft.Compute/virtualMachines/read`.
+
+Here is a sample role definition allowing Teleport to read **Azure SQL Servers**
+and **Azure SQL Managed Instances**:
+
+```json
+{
+    "properties": {
+        "roleName": "SQLServerAutoDiscovery",
+        "description": "Allows Teleport to discover SQL Servers and SQL Managed Instances.",
+        "assignableScopes": [
+            "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+        ],
+        "permissions": [
+            {
+                "actions": [
+                    "Microsoft.Sql/managedInstances/read",
+                    "Microsoft.Sql/servers/read",
+                    "Microsoft.Compute/virtualMachines/read"
+                ],
+                "notActions": [],
+                "dataActions": [],
+                "notDataActions": []
+            }
+        ]
+    }
+}
+```
+
+The `assignableScopes` field above includes a subscription
+(`/subscriptions/<subscription>`), allowing the role to be assigned at any
+resource scope within that subscription or the subscription scope itself.
+If you want to further limit the `assignableScopes`, you can use a resource
+group (`/subscriptions/<subscription>/resourceGroups/<group>`) or a management
+group (`/providers/Microsoft.Management/managementGroups/<group>`) instead.
+
+Go to the [Subscriptions](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade)
+page and select a subscription.
+
+Click on **Access control (IAM)** in the subscription and select **Add** >
+**Add custom role**:
+
+![IAM custom role](../../../img/database-access/guides/azure/add-custom-role@2x.png)
+
+In the custom role creation page, click the **JSON** tab and click **Edit**,
+then paste the JSON example and replace the subscription in `assignableScopes`
+with your own subscription id:
+
+![Create JSON role](../../../img/database-access/guides/sqlserver/create-role-from-json.png)
+
+## Step 5/9. Configure virtual machine identities
+
+In the Teleport Database Service virtual machine's **Identity**
+section, enable the system assigned identity. This is used by Teleport to access
+Azure APIs.
+
+![System assigned identity page](../../../img/database-access/guides/sqlserver/system-managed-identity.png)
+
+To grant Teleport permissions, the custom role you created must be assigned to
+the virtual machine system assigned identity. On the same page, click on the **Azure
+role assignments**, then on **Add role assignment**. Select the custom role and
+save.
+
+<Admonition type="note" title="Azure Role Assignments">
+The role assignment should be at a high enough scope to allow the Teleport Database Service to discover
+all matching databases. See
+[Identify the needed scope](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps#step-3-identify-the-needed-scope)
+for more information about Azure scopes and creating role assignments.
+</Admonition>
+
+### Login identities

 The Teleport Database Service needs access tokens from Azure AD to authenticate with
 SQL Server databases.
@ -82,7 +163,7 @@ created:

 ![Azure Virtual machine user managed identities page](../../../img/database-access/guides/sqlserver/azure-attach-managed-identity-vm.png)

-## Step 5/9. Enable managed identities login on SQL Server
+## Step 6/9. Enable managed identities login on SQL Server

 Azure AD SQL Server integration uses database-level authentication (contained
 users), meaning we must create a user for our identities on each database we
@ -105,7 +186,7 @@ the user as a member of the `db_datareader` role:
 ALTER ROLE db_datareader ADD MEMBER [sqlserver-identity];
 ```

-## Step 6/9. Create a Database Service configuration
+## Step 7/9. Create a Database Service configuration

 Install Teleport on the host where you will run the Teleport Database Service:

@ -138,71 +219,6 @@ The command will generate a Database Service configuration with Azure SQL
 Server auto-discovery enabled in the `eastus` region and place it at the
 `/etc/teleport.yaml` location.

-## Step 7/9. Configure IAM permissions for Teleport
-
-The Teleport Database Service needs Azure IAM permissions to discover and
-register SQL Server instances.
-
-### Configure an Azure service principal
-
-(!docs/pages/includes/database-access/azure-configure-service-principal.mdx!)
-
-### Create a custom role
-
-Teleport requires `<resource-type>/read` permissions for discovery, but
-only for the resource types you have.
-
-Here is a sample role definition allowing Teleport to read **Azure SQL Servers**
-and **Azure SQL Managed Instances**:
-
-```json
-{
-    "properties": {
-        "roleName": "SQLServerAutoDiscovery",
-        "description": "Allows Teleport to discover SQL Servers and SQL Managed Instances.",
-        "assignableScopes": [
-            "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
-        ],
-        "permissions": [
-            {
-                "actions": [
-                    "Microsoft.Sql/managedInstances/read",
-                    "Microsoft.Sql/servers/read"
-                ],
-                "notActions": [],
-                "dataActions": [],
-                "notDataActions": []
-            }
-        ]
-    }
-}
-```
-
-The `assignableScopes` field above includes a subscription
-`/subscriptions/<subscription>`, allowing the role to be assigned at any
-resource scope within that subscription or the subscription scope itself.
-If you want to further limit the `assignableScopes`, you can use a resource
-group (`/subscriptions/<subscription>/resourceGroups/<group>`) or a management
-group (`/providers/Microsoft.Management/managementGroups/<group>`) instead.
-
-Now go to the [Subscriptions](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade)
-page and select a subscription.
-
-Click on **Access control (IAM)** in the subscription and select **Add** >
-**Add custom role**:
-
-![IAM custom role](../../../img/database-access/guides/azure/add-custom-role@2x.png)
-
-In the custom role creation page, click the **JSON** tab and click **Edit**,
-then paste the JSON example and replace the subscription in `assignableScopes`
-with your own subscription id:
-
-![Create JSON role](../../../img/database-access/guides/sqlserver/create-role-from-json.png)
-
-### Create a role assignment for the Teleport Database Service principal
-
-(!docs/pages/includes/database-access/azure-assign-service-principal.mdx!)
-
 ## Step 8/9. Start Teleport Database Service

 Start the Database Service:
@ -273,7 +289,7 @@ connect with is not attached to the Teleport Database Service virtual machine.
 You can navigate to the [Virtual Machines](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines) page within Azure Portal,
 open the **Teleport instance**, **Identity** section, and choose **User
 assigned** to see all identities you can connect with. If you don’t see your
-identity check [Step 4](#step-49-configure-azure-managed-identities) to see how
+identity check [Step 4](#login-identities) to see how
 to add it.

 ### Login failed for the user
@ -281,9 +297,29 @@ to add it.
 When connecting to your database, and you see the error `mssql: login error: Login
 failed for user '<token-identified principal>'`, it means your managed identity
 login is not present on the SQL database. You’ll need to create their users as
-described in [Step 5](#step-59-enable-managed-identities-login-on-sql-server).
+described in [Step 6](#step-69-enable-managed-identities-login-on-sql-server).
 Remember: you must create the users on all databases you want to connect.

+### Timeout connecting to the database
+
+If you receive the error `i/o timeout issue` when connecting to your database,
+please check if the Teleport Database service can reach the database on
+Azure.
+
+In case your database is public, you can enable it to receive connections
+from Azure services without creating firewall rules: Go to your database page,
+**Network** tab, and at the bottom of the page in the **Exceptions** section
+check the option "Allow Azure services and resources to access this server" and
+save.
+
+If your database is not public and it is using private endpoints, ensure that
+they're on the same VPC, or if the Teleport VM VPC is peering with the database
+one.
+
+To check if the VM has access, you can do the following on the VM:
+- Using `netcat`: `nc -v youradatabase.database.windows.net 1433`
+- Using `telnet`: `telnet yourdatabase.database.windows.net 1433`
+
 ## Next steps

 (!docs/pages/includes/database-access/guides-next-steps.mdx!)